diff options
author | Douwe Maan <douwe@gitlab.com> | 2016-09-27 11:38:59 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2016-09-27 11:38:59 +0000 |
commit | 0ee03af814c34d9c1cad8535b46ad65e96426c8e (patch) | |
tree | 048eb19fea94d6b17cbb00b004197c25901409c1 /config | |
parent | fca610e5cbf5382f3814120227a0ca11440c8a9f (diff) | |
parent | 3870138960b6918d999f879bed5e8d938ea43fae (diff) | |
download | gitlab-ce-0ee03af814c34d9c1cad8535b46ad65e96426c8e.tar.gz |
Merge branch '22450-restrict-origin' into 'master'
Set a restrictive CORS policy for the API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22450
See merge request !1998
Diffstat (limited to 'config')
-rw-r--r-- | config/application.rb | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/config/application.rb b/config/application.rb index 4792f6670a8..1ebdb43d662 100644 --- a/config/application.rb +++ b/config/application.rb @@ -99,13 +99,24 @@ module Gitlab config.action_view.sanitized_allowed_protocols = %w(smb) - config.middleware.use Rack::Attack + config.middleware.insert_before Warden::Manager, Rack::Attack # Allow access to GitLab API from other domains - config.middleware.use Rack::Cors do + config.middleware.insert_before Warden::Manager, Rack::Cors do + allow do + origins Gitlab.config.gitlab.url + resource '/api/*', + credentials: true, + headers: :any, + methods: :any, + expose: ['Link'] + end + + # Cross-origin requests must not have the session cookie available allow do origins '*' resource '/api/*', + credentials: false, headers: :any, methods: :any, expose: ['Link'] |